June 10, 2005

Information Technology Management

Reporting of DoD Capital Investments for
Information Technology in Support of the
FY 2006 Budget Submission
(D-2005-083)

Department of Defense
Office of Inspector General
Quality    Integrity    Accountability

Additional Copies

To obtain additional copies of this report, visit the Web site of the Department of Defense Inspector General at http://www.dodig.mil/audit/reports or contact the Secondary Reports Distribution Unit, Audit Followup and Technical Support at (703) 604-8937 (DSN 664-8937) or fax (703) 604-8932.

Suggestions for Future Audits

To suggest ideas for or to request future audits, contact Audit Followup and Technical Support at (703) 604-8940 (DSN 664-8940) or fax (703) 604-8932. Ideas and requests can also be mailed to:

    ODIG-AUD (ATTN: AFTS Audit Suggestions)
    Department of Defense Inspector General
    400 Army Navy Drive (Room 801)
    Arlington, VA 22202-4704

Acronyms

ASD(NII)   Assistant Secretary of Defense for Networks and Information Integration
DBSMC      Defense Business Systems Management Committee
CFO        Chief Financial Officer
CIO        Chief Information Officer
CIR        Capital Investment Report
IT         Information Technology
OMB        Office of Management and Budget


INSPECTOR GENERAL
DEPARTMENT OF DEFENSE
400 ARMY NAVY DRIVE
ARLINGTON, VIRGINIA 22202-4704

June 10, 2005

MEMORANDUM FOR UNDER SECRETARY OF DEFENSE ACQUISITION, TECHNOLOGY, AND LOGISTICS
               UNDER SECRETARY OF DEFENSE (COMPTROLLER)/CHIEF FINANCIAL OFFICER
               UNDER SECRETARY OF DEFENSE PERSONNEL AND READINESS
               ASSISTANT SECRETARY OF DEFENSE FOR NETWORKS AND INFORMATION INTEGRATION/DOD CHIEF INFORMATION OFFICER

SUBJECT: Report on Reporting of DoD Capital Investments for Information Technology in Support of the FY 2006 Budget Submission (Report No. D-2005-083)

We are providing this report for review and comment. We considered management comments on a draft of this report when preparing the final report.

DoD Directive 7650.3 requires that all recommendations be resolved promptly. As a result of management comments, we revised Recommendation 1. to clarify our position on improving the quality of information technology reporting to the Office of Management and Budget and Congress, and redirected Recommendation 1. to the Under Secretary of Defense for Acquisition, Technology, and Logistics and the Under Secretary of Defense for Personnel and Readiness, in addition to the Under Secretary of Defense (Comptroller)/Chief Financial Officer and the Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer. Therefore, we request that the Under Secretary of Defense for Acquisition, Technology, and Logistics and the Under Secretary of Defense for Personnel and Readiness, in addition to the Under Secretary of Defense (Comptroller)/Chief Financial Officer and the Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer, provide comments on revised Recommendation 1. by July 8, 2005.

If possible, please send management comments in electronic format (Adobe Acrobat file only) to audam@dodig.osd.mil. Copies of the management comments must contain the actual signature of the authorizing official. We cannot accept the / Signed / symbol in place of the actual signature. If you arrange to send classified comments electronically, they must be sent over the SECRET Internet Protocol Router Network (SIPRNET).

We appreciate the courtesies extended to the staff. Questions should be directed to Ms. Kathryn M. Truex at (703) 604-8966 (DSN 664-8966) or Mr. Robert R. Johnson at (703) 604-9024 (DSN 664-9024). See Appendix E for the report distribution. The team members are listed inside the back cover.

By direction of the Deputy Inspector General for Auditing:

Assistant Inspector General
for Acquisition and Technology Management


Department of Defense Office of Inspector General
Report No. D-2005-083                                       June 10, 2005
(Project No. D2005-D000AL-0036.000)

Reporting of DoD Capital Investments for
Information Technology in Support of the
FY 2006 Budget Submission

Executive Summary

Who Should Read This Report and Why? DoD managers preparing and certifying capital investment justifications for information technology should read this report to improve the quality of data being submitted by the Department of Defense to the Office of Management and Budget and Congress.

Background. Information technology is a President's Management Agenda priority for expanding electronic government. In addition, Congress has challenged, in committee report language, the quality of DoD information technology management because information technology documents and associated budget data that DoD provided were inaccurate, misleading, or incomplete. For FY 2006, the DoD Budget Estimate Submission totaled $30 billion for information technology.

Results. DoD Components did not adequately report information technology investments to the Office of Management and Budget in support of the DoD Budget Request for FY 2006 because Component Chief Information Officers and Chief Financial Officers did not always include required information in submitted reports. Specifically, 157 of 171 (92 percent) Capital Investment Reports submitted to the Office of Management and Budget in September 2004 did not completely respond to one or more required data elements addressing security funding, certification and accreditation, training and security plans, and enterprise architecture. As a result, the quality of DoD information reported to the Office of Management and Budget continues to have limited value and does not demonstrate, in accordance with Office of Management and Budget and DoD guidance, that DoD was effectively managing its proposed information technology investment for FY 2006. See the Finding section of the report for the detailed recommendations.

Management Comments and Audit Response. The Deputy Comptroller, responding for the Under Secretary of Defense (Comptroller)/Chief Financial Officer, commented that responsibility for review and compilation of information technology (IT) material, primarily the IT-43 exhibits, was realigned from the Under Secretary of Defense (Comptroller) to the Office of the Assistant Secretary of Defense (Command, Control, Communications, and Intelligence) on January 14, 1998, and the Under Secretary of Defense (Comptroller) organization that was responsible for the IT-43 exhibits has been disestablished. We agree that a 1998 realignment occurred; however, the Congress and the Deputy Secretary of Defense have recently directed that the Under Secretary of Defense (Comptroller)/Chief Financial Officer; the Under Secretary of Defense for Personnel and Readiness; and the Under Secretary of Defense for Acquisition, Technology, and Logistics assume specific responsibilities with regard to information technology governance, in addition to those responsibilities assigned to the Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer (see Appendix D). Recommendation 1. has been revised and redirected to reflect this guidance.

The Deputy Assistant Secretary of Defense (Resources), responding on behalf of the Acting Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer, partially concurred and commented that the concurrent DoD/Office of Management and Budget program and budget review process rendered it neither feasible nor logical to withhold submission of Component information technology budget requests that do not comply with the Office of Management and Budget and congressional requirements, and/or have not been certified by the Component Chief Information Officer and Chief Financial Officer as compliant with the requirements of the DoD Regulation 7000.14-R, "Financial Management Regulation," Volume 2B, Chapter 18, "Information Technology Resources and National Security Systems," June 2004. The Deputy Assistant Secretary of Defense (Resources) commented that she would enlist the help of the Office of the Under Secretary of Defense (Comptroller)/Chief Information Officer to enforce the DoD Financial Management Regulation. As indicated above, Recommendation 1. was revised in light of management comments and recent direction from the Congress and the Deputy Secretary of Defense. See the Finding section of the report for a discussion of management comments and the Management Comments section of the report for the complete text of the comments.

We request that the Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer; the Under Secretary of Defense (Comptroller)/Chief Financial Officer; the Under Secretary of Defense for Personnel and Readiness; and the Under Secretary of Defense for Acquisition, Technology, and Logistics provide comments on the final report by July 8, 2005.


Table of Contents

Executive Summary

Background

Objectives

Finding
     Completeness of DoD Capital Investment Reports

Appendixes
     A. Scope and Methodology
         Prior Coverage
     B. FY 2006 Statement of Compliance Submissions by DoD Components
     C. Exhibit 300 Questions Reviewed
     D. Recent Information Technology Guidance
     E. Report Distribution

Management Comments
     Under Secretary of Defense (Comptroller)/Chief Financial Officer
     Assistant Secretary of Defense for Networks and Information Integration/Chief Information Officer


Background

DoD Components use information technology (IT) in a wide variety of mission functions including finance, personnel management, computing and communication infrastructure, logistics, intelligence, and command and control. Information technology consists of any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, movement, control, display, switching, interchange, transmission, or reception of data or information. The President's Management Agenda for expanding electronic government identified effective planning for information technology investments as a priority. Improving information technology security is one of the Office of Management and Budget's (OMB) highest priorities in information technology management. In addition, Congress has challenged, in committee report language, the quality of DoD information technology management because information technology documents and associated budget data that DoD provided were inaccurate, misleading, or incomplete. The Assistant Secretary of Defense for Networks and Information Integration (ASD[NII]), as the Chief Information Officer (CIO), is the principal staff assistant to the Secretary of Defense for DoD information technology.

Public Law 107-347, Title III, "Federal Information Security Management Act of 2002," December 17, 2002, requires agencies to address the adequacy and effectiveness of information security policies and practices in plans and reports relating to annual agency budgets.

Public Law 104-106, "National Defense Authorization Act for Fiscal Year 1996," Division E, "Information Technology Management Reform," February 10, 1996, commonly called the "Clinger-Cohen Act," requires effective and efficient capital planning processes for selecting, managing, and evaluating the results of all major investments in information technology. The Act requires that executive agencies:

    •   Establish goals for improving the efficiency and effectiveness of agency operations through the use of information technology;

    •   Prepare an annual report, to be included in the executive agency's budget submission to Congress, on the progress in achieving the goals;

    •   Prescribe performance measurements for information technology and measure how well information technology supports agency programs;

    •   Measure quantitatively agency process performance for cost, speed, productivity, and quality against comparable processes and organizations in the private and public sectors where they exist;

    •   Analyze the missions of the executive agency and, based on the analysis, revise the executive agency's mission-related processes and administrative processes as appropriate before making significant investments in information technology; and

    •   Ensure that information security policies, procedures, and practices of the executive agency are adequate.

DoD uses the Information Technology Management Application database to plan, coordinate, and disseminate the DoD information technology budget exhibits that OMB and Congress require. The information technology budget request for FY 2006 totaled $30 billion.

Components must submit an Exhibit 300, "Capital Investment Report," for all major information technology investments. Major information technology investments:

    •   require special management attention because of their importance to an agency's mission;

    •   were included in the FY 2005 submission and are ongoing;

    •   are for financial management and more than $500,000;

    •   are directly tied to the top two layers of the Federal Enterprise Architecture;

    •   have significant program or policy implications;

    •   have high executive visibility; and

    •   are defined as major investments by the agency's capital planning and investment control process.

DoD management and OMB use the Exhibit 300 Investment Report to show that the Component has employed the disciplines of good project management, presented a strong business case for the investment, and defined the proposed costs, schedule, and performance goals for the investment if funding approval is obtained. When submitted, the Capital Investment Report (CIR) should be complete and accurate and provide all the information that the Office of Management and Budget requires. In September 2004, DoD submitted 171 CIRs for the FY 2006 budget request to the Office of Management and Budget.


Objectives

The overall audit objective was to assess whether the Services and DoD Components are accurately reporting information technology investment data to the Office of Management and Budget. Specifically, the audit determined whether the DoD Capital Investment Reports submitted in September 2004 for the Office of Management and Budget FY 2006 reporting requirements demonstrated that DoD is managing its information technology investments in accordance with the Office of Management and Budget and DoD guidance. See Appendix A for discussion of the scope and methodology.


Completeness of DoD Capital Investment Reports

    DoD Components did not adequately report information technology investment data to the Office of Management and Budget in support of the DoD Budget Request for FY 2006 because Component Chief Information Officers and Chief Financial Officers did not always include the required information in the reports that they submitted. Specifically, 157 of the 171 (92 percent) Capital Investment Reports submitted to the Office of Management and Budget in September 2004 did not completely address one or more required data elements in the sections on security and privacy and enterprise architecture compliance. In addition, 47 percent of DoD Components did not provide the required statement of compliance in support of their Capital Investment Report submissions. As a result, the quality of DoD information reported had limited value and did not demonstrate that DoD was effectively managing its proposed $30 billion information technology investment for FY 2006.


Criteria

Office of Management and Budget Circular A-11. Office of Management and Budget Circular A-11, "Preparation, Submission, and Execution of the Budget," Part 7, section 300, "Planning, Budgeting, Acquisition, and Management of Capital Assets," July 2004, implements the Clinger-Cohen Act and establishes policy and procedures for planning, budgeting, acquiring, and managing Federal capital assets. Agencies are required to demonstrate to OMB in semi-annual reports that major IT investments are directly connected to agencies' strategic plans and provide a positive return on investment, sound acquisition planning, comprehensive risk mitigation and management planning, realistic cost and schedule goals, and measurable performance benefits. For the DoD FY 2006 budget request, the ASD(NII)/DoD CIO forwarded 171 CIRs to OMB. The CIR is the primary means of justifying and managing IT investments.

DoD Financial Management Regulation. The DoD Financial Management Regulation, Volume 2B, Chapter 18, "Information Technology Resources and National Security Systems," June 2004, requires all DoD Components that have any resource obligations for information technology or national security systems to prepare Capital Investment Reports, which are mandated by Circular A-11. The regulation requires Component Chief Information Officers and Chief Financial Officers to jointly attest that the CIRs submitted are complete, accurate, and consistent with the requirements of the Clinger-Cohen Act, Circular A-11 and documented exceptions to the Circular, the DoD CIO budget guidance memorandum, the Paperwork Reduction Act, and other applicable acts and requirements.

National Defense Authorization Act for Fiscal Year 2005. The Ronald W. Reagan National Defense Authorization Act for FY 2005, section 332, "Defense Business Enterprise Architecture, System Accountability, and Conditions for Obligation of Funds for Defense Business System Modernization," subsection (h), "Budget Information," establishes policy and procedures for the Secretary of Defense to follow when submitting budget information to Congress. For FY 2006 and beyond, the Secretary of Defense must identify each DoD business system for which funding is proposed in that budget; identify all funds, by appropriation, proposed in that budget for each system; identify the official to whom authority for each system is delegated; and describe each certification for each system.


Capital Investment Reports to the Office of Management and Budget

The information technology Capital Investment Reports budget request that DoD submitted for FY 2006 did not demonstrate that DoD was effectively and efficiently managing information technology resources in accordance with Circular A-11, July 2004. Our analysis of 171 CIR reports showed that 157 (92 percent) contained incomplete information in one or more sections when compared to criteria in Circular A-11. Information addressing security and privacy and enterprise architecture was missing or incomplete.

Security Funding. Circular A-11 requires DoD Components to describe how security is provided and funded and to report the total dollars allocated for IT security for all FY 2006 investments. Circular A-11 also requires Components to indicate whether an increase in IT security funding is requested to remediate IT security weaknesses, and to specify the amount and a general description of the weakness. Fifty-four of 171 CIR submissions (32 percent) were incomplete. Thirty-two submissions contained requests for FY 2005 security funding instead of the required FY 2006 funding. Six Components did not provide a security funding amount, and we were unable to determine the amount of security funding requested for four investments based on the information given. One additional Component specified a security funding dollar amount, but stated, "I am not sure where the dollar amount came from." In addition, 13 Components did not state how security was provided and funded for their investments and 4 Components provided incomplete information on whether an increase in IT security funding is required to remediate security weaknesses. Table 1 summarizes, by DoD Component, the CIRs with incomplete security funding responses for FY 2006 and for FY 2005.

               Table 1. Incomplete Submissions for Security Funding

                                              Percent Incomplete
      DoD Component                          FY 2006      FY 2005*
       Army                                    19            55
       Navy                                    39            19
       Air Force                               36             8
       Defense agencies                        38            28
      * As reported in DoD IG Report No. D-2005-002, "Reporting of DoD Capital Investments for Technology in Support of the FY 2005 Budget Submission," October 12, 2004

Certification and Accreditation. Circular A-11 requires DoD Components to verify full certification and accreditation of IT for which investments are made, specify the methodology used, and provide the date of the last certification and accreditation review. Full certification and accreditation refers to the authority to operate and excludes interim authority to operate. All IT for which investments are made must be fully certified and accredited before becoming operational. Anything less than full certification and accreditation indicates that identified IT security weaknesses remain. These weaknesses must be corrected before funding for the investment can be justified. Fifty of 171 (29 percent) investments reviewed were not fully certified and accredited or gave incomplete answers. Inadequate responses included investments with interim authority to operate, no date of last review, no statement of compliance with the DoD Information Technology Security Certification and Accreditation Process, or no statement of whether authority to operate had been granted. Components stated that certification and accreditation approval was pending. One stated that it was in the planning phase and that certification and accreditation approval was not required, though the IT investment was in the full acquisition phase. Table 2 summarizes, by DoD Component, the CIRs with incomplete or noncompliant certification and accreditation responses for FY 2006 and for FY 2005.

          Table 2. Incomplete Certification and Accreditation Submissions

                                              Percent Incomplete
  DoD Component                              FY 2006      FY 2005*
   Army                                        33            50
   Navy                                        12            56
   Air Force                                   27            33
   Defense agencies                            36            33
  * As reported in DoD IG Report No. D-2005-002.

Incident Handling and Reporting. Circular A-11 requires Components to report on how they incorporated incident-handling capability into the system or information technology investment and to include a summary of intrusion detection monitoring and a review of audit logs. Circular A-11 also requires Components to report on incidents that are reported to the Department of Homeland Security Federal Computer Incident Response Center. Sixty-seven of 171 (39 percent) Capital Investment Reports did not contain the required information for this area. Sixty-two CIRs failed to address all three elements of this question. One Component responded that it did not need to address this area. Some Components stated that their systems were still in development and did not address the question, and other Components stated that incident handling would be incorporated into the system in the future.

Security Plans. Circular A-11 requires Components to report whether information technology investments have an up-to-date security plan and to provide the date and other details of the plan. A simple reference to security plans or other documents is not an acceptable response as stipulated in Circular A-11. Twenty-eight of 171 (16 percent) investments reviewed did not answer those questions adequately or did not confirm that they had a security plan. Components did not always provide information supporting the existence of a security plan or plan dates.

Contractor Security. Circular A-11 requires Components to report whether a contractor operated the system on-site or at a contractor facility and whether the contract includes specific security requirements required by law and policy. Circular A-11 also requires Components to describe how contractor security procedures are monitored, verified, and validated. Twenty-seven of 171 (16 percent) CIRs did not completely address all elements for this area. Other Component responses stated that the IT investment was not a system, and therefore did not include a response. The majority of the investments contained partial responses.

Security Testing. Circular A-11 requires Components to report whether management, operational, and technical security controls were tested for effectiveness and when the most recent tests were performed. Twenty-two of 171 (13 percent) CIRs reviewed did not contain the required information to adequately respond to this question. Some Components failed to confirm whether controls were tested and others did not provide dates.

Security Training. Circular A-11 requires DoD Components to report whether all system users were appropriately trained in the past year, including rules of behavior and consequences for violating those rules. Twenty-one of 171 (12 percent) CIRs did not contain the necessary information to complete this question.

    •   Responses for 11 investments did not verify training for system users.

    •   Responses for 3 investments were unclear or provided no answer.

    •   Responses for 7 investments said that the investment was not a system or that the investment was in development.

Table 3 summarizes the incomplete submissions for the security questions for FY 2006 and for FY 2005.

          Table 3. Incomplete Submissions for Security Questions

                                              Percent Incomplete
  Question                                   FY 2006      FY 2005*
   Security Plans                              17             8
   Contractor Security                         16             6
   Security Testing                            13             6
   Security Training                           12             3
  * As reported in DoD IG Report No. D-2005-002.

Protection of Systems with Public Access. Circular A-11 requires Components to report how agencies use security controls and authentication tools to protect privacy of systems that promote or permit public access. Component responses for this element were highly compliant; only 2 of 171 (1 percent) CIRs were incomplete.

Proper Handling of Personal Information. Circular A-11 requires agencies to handle personal information consistent with relevant Government-wide and agency policies. Component responses for this element were highly compliant; only 5 of 171 (3 percent) CIRs were incomplete.

Federal Information Security Management Act. The Federal Information Security Management Act requires agencies to integrate IT security into their capital planning and enterprise architecture processes, to conduct annual IT security reviews of all programs and systems, and to report the results of those reviews to OMB. In August 2004, the Director, OMB stated in a memorandum that all agency systems must be reviewed annually. Circular A-11 requires Components to report whether they reviewed investments as part of the FY 2004 Federal Information Security Management Act reporting process, whether the review indicated any weaknesses, and whether the weaknesses were included in a corrective action plan. One hundred and eleven of 171 (65 percent) CIRs responded that the investment was reviewed as a part of the FY 2004 Federal Information Security Management Act review process. Of those 110 investments that were reviewed, 14 (13 percent) reported that weaknesses had been found and that the weaknesses were included in a corrective action plan. Sixty of 171 investments (35 percent) reported that they were not reviewed as part of the 2004 Federal Information Security Management Act review process. We found abnormalities in four CIRs. The Navy, the Air Force, and the Defense Finance and Accounting Service submitted investment reports stating that no weaknesses were found during the 2004 Federal Information Security Management Act review process; however, the reports did state that weaknesses were included in a corrective action plan. Table 4 summarizes the percentage of investments reviewed under the Federal Information Security Management Act review process and the percentage of investments with stated weaknesses that were included in their corrective action plans for FY 2006 and for FY 2005.

  Table 4. Federal Information Security Management Act Review Process

                                                      FY 2006      FY 2005*
  Percent Reviewed Under FY 2004 Act                     64           48
  Percent of Weaknesses Identified and
  Included in a Corrective Action Plan                   13           13
  * As reported in DoD IG Report No. D-2005-002.

Enterprise Architecture Identification. The Federal Enterprise Architecture is a business and performance-based framework developed to facilitate Government-wide organization and collaboration efforts, so that all Government agencies are efficiently working toward the same goal of serving the public. Agencies submit information on the planning, acquisition, management, and use of IT investments to OMB in the Circular A-11 Exhibit 300s. This information assists OMB in making budget decisions and determining whether the agency practice is consistent with OMB policies and guidance. Each agency should map the IT investments to the reference models for Federal Enterprise Architecture, which can identify potential opportunities to collaborate with other Federal agencies and eliminate redundant spending. Circular A-11 requires Components to report whether the investment is identified in the agency's enterprise architecture, and provide an explanation if the investment is not identified. All 171 (100 percent) CIR submissions stated that the investment was identified in their agency's enterprise architecture.

Modernization Blueprint. Circular A-11 requires Components to report whether the IT investment is consistent with the agency 'to be' modernization blueprint. The Exhibit 300 must demonstrate either that the existing investment is meeting the needs of the agency and the expected performance, or that the investment is being modernized and replaced consistent with the modernization blueprint. Four of 171 (2.3 percent) CIRs did not completely address the required information for this area. Two of the IT investments were legacy enterprise systems that will be discontinued.

Enterprise Architecture Review Committee. Circular A-11 requires Components to report whether the IT investment was approved through the agency's Enterprise Architecture Review Committee. Five of 171 (3 percent) CIRs were not approved through their agency's Enterprise Architecture Review Committee.

Process Simplification, Reengineering, and Design Projects. Circular A-11 requires Components to report what major process simplification, reengineering, and design projects are required as part of their IT investment. Eighteen of 171 (11 percent) CIRs did not completely provide information on the projects that were required as part of their IT investment. Nine of the investments failed to address all areas of the question. Five IT investments reported being exempt from redesigning because they were weapon systems. Two IT investments claimed that major process simplification, reengineering, and design projects did not apply to National Security Systems. Other IT investment reports contained non-responsive answers, or did not respond to the question.

Organization Restructuring, Training, and Change Management Projects. Circular A-11 requires Components to report what major organization restructuring, training, and change management projects are required.
Eleven of\n171 (6 percent) CIRs did not provide the required information.\n\nFederal Enterprise Architecture Reference Models. The Federal Enterprise\nArchitecture is based on five reference models that identify duplicate investments,\ngaps in processes, and opportunities for collaboration through a cross analysis of\nall Federal agencies. This collaboration can then provide a common structure for\nall agencies to improve their lines of business, such as budget allocation,\ninformation sharing, and performance measurement.\n\nCircular A-11 requires Components to provide information on three models, the\nBusiness Reference Model, Service Component Reference Model, and Technical\nReference Model. The Business Reference Model describes the mission and\npurpose of the Federal Government through an organized, hierarchical structured\nformat of the day-to-day business operations. The Service Component Reference\nModel is a framework that identifies how the Federal Government\xe2\x80\x99s service\nComponents, such as process automation, back office support technology, and\nanalytical services support business performance objectives and IT investments\nand assets. The Technical Reference Model provides a Component-based\nframework identifying standards, specifications, and technology used to construct\nand deliver service Component capabilities throughout the Federal Government.\nCollectively, these reference models establish a foundation to identify, design,\nand distribute service Components in IT investments across the Federal\nGovernment to yield the most efficient means of serving the public.\n\nLines of Business and Subfunctions. Circular A-11 requires Components to list\nall the lines of business and subfunctions from the Federal Enterprise Architecture\nBusiness Reference Model that the IT investment supports. All 171 investments\nprovided this list in a complete format.\n\nApplications, Components, and Technology. 
Circular A-11 requires\nComponents to discuss the major investments in relationship to the Service\nComponent Reference Model section of the Federal Enterprise Architecture,\nincluding a discussion of the Components included in the major IT investment.\nForty-two of 171 (25 percent) CIRs did not complete the table provided to\ndetermine how the investment related to the Service Component Reference Model\nsection of the Federal Enterprise Architecture. Circular A-11 also requires\nComponents to state whether all hardware, applications, components, and web\ntechnology requirements for the IT investment are included in the Agency\nEnterprise Architecture Technical Reference Model. Eight of the 171 (5 percent)\ndid not answer the question completely.\n\n\n\n\n                                     9\n\x0cCircular A-11 requires Components to discuss the major IT investment in\nrelationship to the Technical Reference Model section of the Federal Enterprise\nArchitecture, identifying each service area, service category, service standard, and\nservice specification that collectively describes the technology supporting the\nmajor IT investment. Seventy-three of the 171 (43 percent) CIRs did not\ncomplete the table provided to determine their relationship to the Technical\nReference Model section of the Federal Enterprise Architecture.\n\nCircular A-11 requires Federal agencies to state whether the application will\nleverage existing technology components or applications across the Government.\nFourteen of the 171 (8 percent) CIRs did not completely answer this question.\n\nCircular A-11 requires financial management systems and projects to be mapped\nto the agency\xe2\x80\x99s financial management system inventory that they provide\nannually to OMB, identifying the system name(s) and system acronym(s) as\nreported in the most recent systems inventory update. 
Ten of the 171 (5 percent)\nIT investments did not provide the appropriate information on whether the\ninvestment\xe2\x80\x99s Financial Management System was mapped to the agency\xe2\x80\x99s\nfinancial management system inventory.\n\nStatement of Compliance Requirement. Forty-seven percent of DoD\nComponents did not provide the required statement of compliance when\nsubmitting their Capital Investment Reports in support of the FY 2006 DoD\nBudget Estimate Submission. In June 2004, DoD revised DoD Financial\nManagement Regulation, Volume 2B, \xe2\x80\x9cBudget Formulation and Presentation,\xe2\x80\x9d to\nrequire DoD Component Chief Information Officers and Chief Financial Officers\nto sign a joint or coordinated transmittal memorandum stating that IT submissions\nare complete; accurately aligned with primary budget, program and acquisition\nmaterials; and are consistent with the requirements of Circular A-11.\n\nThe Financial Management Regulation states that statements of compliance must\nbe submitted within 10 calendar days of the submission due date for electronic\nprogram and budget submission in September and within 10 calendar days after\nthe Five Year Defense Plan has \xe2\x80\x9clocked\xe2\x80\x9d for the final IT submission for the\nPresident\xe2\x80\x99s Budget. Component IT budget submissions are entered into the\nInformation Management Technology Application database administered by\nASD(NII) and submitted to OMB for the DoD Budget Estimate Submission and\nto Congress for the President\xe2\x80\x99s Budget. Component IT CIRs not accompanied by\na statement of compliance convey uncertainty about their completeness and\naccuracy as well that of the Information Management Technology Application\ndatabase used to identify and justify the DoD IT budget request to OMB and\nCongress. 
Submission of Component IT investment reports to OMB in support of\nthe DoD Budget Estimate Submission should be postponed until Component\nstatements of compliance are submitted to ASD(NII). Appendix B identifies the\nstatus of DoD Components for the FY 2006 statement of compliance.\nAppendix C identifies the Exhibit 300 questions we reviewed.\n\nDoD Self-Assessment of Component Submissions. On July 19, 2004, the\nASD(NII)/DoD CIO issued policy and guidance for completing and submitting\nthe FY 2006 CIRs. Starting with the FY 2006 Exhibit 300 submissions, the\nDirector of Resources, Office of the ASD(NII)/DoD CIO was required to score all\n\n\n                                    10\n\x0c    investment report submissions using the newly established internal DoD self-\n    assessment process.\n\n    Office of Management and Budget Watch List. The OMB watch list is used to\n    assess the potential risks that a particular IT investment poses. The assessment\n    may determine that additional funding is not suitable for that investment. The\n    OMB has a set of criteria to score 10 different areas of the Capital Investment\n    Reports, based on a score of one to five, five being the highest. The individual\n    scores are then added to form a raw score for the Business Case. If any\n    investment receives a score lower than four for security and privacy, the\n    investment is placed on the OMB watch list. An investment is also placed on the\n    watch list if the overall raw score for the Business Case is below 31.\n\n    OMB placed 41 (24 percent) DoD FY 2006 initiatives on the OMB FY 2006\n    watch list. OMB assigned 22 investments with failing scores for security; the\n    DoD self-assessment also scored 17 of the same 22 investments with failing\n    scores. DoD and OMB assigned passing scores to the same eight watch list\n    investments for security. OMB assigned security passing scores to an additional\n    11 initiatives, which DoD scored as failing. 
Six of the 11 DoD-scored initiatives,\n    received scores of two and below. Greater coordination between DoD and OMB\n    on scoring criteria would benefit the CIR evaluation process. Self-assessment\n    time constraints prevented Components from revising deficient initiatives before\n    submitting them to OMB in September 2004.\n\n\nConclusion\n    The quality of DoD information reported on Security and Privacy and Enterprise\n    Architecture to OMB had limited value because it did not demonstrate, in\n    accordance with OMB and DoD guidance, that DoD was effectively managing its\n    requested $30 billion IT investment for FY 2006. Although reasonable\n    explanations existed for some missing and incomplete data, that rationale could\n    not be applied systemically for the majority of missing or incomplete information\n    responses.\n\n    Although CIRs are officially submitted to OMB twice yearly, Components should\n    use them as management tools and update the reports as the information becomes\n    available. Information reported in CIRs help management ensure that spending\n    on capital assets directly supports an agency\xe2\x80\x99s mission and will provide a return\n    on investment equal to or better than alternative uses of funding.\n\n    Submission of incomplete reports jeopardizes appropriate funding and diminishes\n    the overall usefulness of CIRs. The quality of the data collected is of particular\n    concern because DoD plans to use data collected for Exhibit 300 purposes to\n    respond to other congressional information requests, such as those contained in\n    the National Defense Authorization Act for FY 2005.\n\n\n\n\n                                        11\n\x0cRecommendations, Management Comments and\n  Audit Response\n    Revised Recommendation. As a result of management comments, and in light\n    of recent congressional and Deputy Secretary guidance concerning IT governance\n    (Appendix D), we revised Recommendation 1. 
to clarify our position on\n    improving the quality of IT reporting to OMB and Congress.\n\n    1. We recommend that the Under Secretary of Defense for Acquisition,\n    Technology, and Logistics, the Under Secretary of Defense for Personnel and\n    Readiness, the Under Secretary of Defense (Comptroller)/Chief Financial\n    Officer, and the Assistant Secretary of Defense for Networks and\n    Information Integration/DoD Chief Information Officer specify the processes\n    that will be followed to ensure that funds are not obligated to DoD\n    information technology and National Security System investments for which\n    the Office of Management and Budget requires a Form 300 Exhibit that are\n    not supported by complete and correct Capital Investment Reports and\n    accompanying signed statements of compliance from the Component Chief\n    Information Officers and Chief Financial Officers, as required by DoD\n    Regulation 7000.14-R, \xe2\x80\x9cFinancial Management Regulation.\xe2\x80\x9d\n\n    Management Comments. The Deputy Comptroller, responding for the Under\n    Secretary of Defense (Comptroller)/CFO, commented that responsibility for\n    review and compilation of information technology material, primarily the\n    IT-43 exhibits, was realigned from the Under Secretary of Defense (Comptroller)\n    to the Office of the Assistant Secretary of Defense (Command, Control,\n    Communications and Intelligence) on January 14, 1998, and the Under Secretary\n    of Defense (Comptroller) organization that was responsible for the IT-43 exhibits\n    has been disestablished. 
The Deputy Assistant Secretary of Defense (Resources),\n    responding on behalf of the Acting Assistant Secretary of Defense for Networks\n    and Information Integration/DoD Chief Information Officer, partially concurred\n    and commented that the concurrent DoD/OMB program and budget review\n    process rendered it neither feasible nor logical to withhold submission of\n    Component information technology budget requests that do not comply with\n    OMB and congressional requirements, and/or have not been certified by the\n    Component CIO and CFO as compliant with the requirements of the DoD\n    Regulation 7000.14-R, volume 2B, chapter 18. The Deputy Assistant Secretary\n    of Defense (Resources) commented she would enlist the help of the Office of the\n    Under Secretary of Defense (Comptroller) to enforce DoD Regulation 7000.14-R.\n\n    Audit Response. We agree that a 1998 realignment occurred; however, the\n    Congress and the Deputy Secretary of Defense have recently directed that the\n    Under Secretary of Defense for Acquisition, Technology, and Logistics; the\n    Under Secretary of Defense for Personnel and Readiness; and the Under Secretary\n    of Defense (Comptroller)/Chief Financial Office assume specific responsibilities\n    with regard to information technology governance, in addition to those\n    responsibilities assigned to the Assistant Secretary of Defense for Networks and\n    Information Integration/DoD Chief Information Officer (see Appendix D). We\n    request that the Under Secretary of Defense for Acquisition, Technology, and\n    Logistics, the Under Secretary of Defense for Personnel and Readiness, the Under\n\n\n                                       12\n\x0cSecretary of Defense (Comptroller)/Chief Information Officer, and the Assistant\nSecretary of Defense for Networks and Information Integration/DoD Chief\nInformation Officer provide comments on the final report.\n\n2. 
We recommend that the Under Secretary of Defense (Comptroller)/Chief\nFinancial Officer and the Assistant Secretary of Defense for Networks and\nInformation Integration/DoD Chief Information Officer improve the quality\nof information technology reporting to the Office of Management and\nBudget and Congress by expanding the self-assessment process to include\nmore time for DoD Components to revise deficient investments before\nmaking the initial submission to the Office of Management and Budget.\n\nManagement Comments. The Deputy Comptroller, responding for the Under\nSecretary of Defense (Comptroller)/CFO, commented that responsibility for\nreview and compilation of information technology material, primarily the\nIT-43 exhibits, was realigned from the Under Secretary of Defense (Comptroller)\nto the Office of the Assistant Secretary of Defense (Command, Control,\nCommunications and Intelligence) on January 14, 1998, and the Under Secretary\nof Defense (Comptroller) organization that was responsible for the IT-43 exhibits\nhas been disestablished. The Deputy Assistant Secretary of Defense (Resources),\nresponding on behalf of the Acting ASD(NII)/DoD CIO, concurred with the\nrecommendation and stated that she would provide time to revise the CIRs and\nthe FY 2007 Budget Estimate Submission.\n\nAudit Response. The Deputy Assistant Secretary of Defense (Resources)\ncomments are responsive to the recommendation and no further comments are\nrequested.\n\nManagement Comments to Appendix B. The Deputy Assistant Secretary of\nDefense (Resources), responding for the Acting ASD(NII)/DoD CIO stated that\nAppendix B was incorrect because it did not identify all the organizations\nrequired to provide statements of compliance. In addition, the American Forces\nInformation Service, the Defense Contract Management Agency, the Defense\nLogistics Agency, and TRICARE Management Agency did in fact provide\nstatements.\n\nAudit Response. 
DoD Regulation 7000.14-R requires that statements of\ncompliance be provided within 10 calendar days of the due date of the electronic\nsubmission of the program/budget submission in September. Appendix B reflects\ncopies of statement of compliance we received during the verification phase of\nthis audit. Additional statements of compliance were provided after issuance of\nthe draft report on March 29, 2005. Appendix B reflects only the Components\nrequired to prepare a FY 2006 CIR.\n\n\n\n\n                                   13\n\x0cAppendix A. Scope and Methodology\n    We examined all 171 CIRs that DoD submitted to OMB for the FY 2006 DoD\n    Budget Request. We limited our review to evaluating responses in the data\n    elements of security funding, certification and accreditation, incident handling\n    and reporting, security plans, contractor security, security testing, security\n    training, protecting systems accessible to the public, and handling private\n    information. We also reviewed the responses in the data elements pertaining to\n    enterprise architecture.\n\n    We reviewed DoD Component responses on whether they reviewed\n    IT investments during the FY 2004 Federal Information Security Management\n    Act reporting process. We evaluated the reporting process and the completeness\n    of information for report elements, based on report preparation guidance from\n    Circular A-11 and DoD Regulation 7000.14-R. We did not validate information\n    submitted by DoD Components in the CIRs.\n\n    We also reviewed relevant documents pertaining to report submissions dating\n    from December 2002 through May 2005. We met with the analyst responsible for\n    IT budget reports within ASD(NII) to gain an overall understanding of the\n    FY 2006 IT budget process. 
We reviewed the results of the initial DoD self-\n    assessment of IT budget submissions for FY 2006.\n\n    We performed this audit from October 2004 through May 2005 in accordance\n    with generally accepted government auditing standards. We did not review the\n    management control program because it was reviewed in DoD Inspector General\n    Report No. D-2005-023, \xe2\x80\x9cAssessment of DoD Plan of Action and Milestones\n    Process,\xe2\x80\x9d December 13, 2004 and addressed in DoD Inspector General Report\n    No. D-2005-029, \xe2\x80\x9cManagement of Information Technology Resources Within\n    DoD,\xe2\x80\x9d January 27, 2005.\n\n    Use of Computer-Processed Data. We did not use computer-processed data to\n    perform this audit.\n\n    Government Accountability Office High-Risk Area. The Government\n    Accountability Office has identified several high-risk areas in DoD. This report\n    provides coverage of DoD IT Management.\n\n\nPrior Coverage\n    During the last 5 years, the Government Accountability Office and the\n    Department of Defense Inspector General have issued five reports discussing the\n    reliability of DoD IT budget submission. Unrestricted Government\n    Accountability Office reports can be accessed over the Internet at\n    http://www.gao.gov. Unrestricted DoD Inspector General reports can be accessed\n    at http://www.dodig.mil/audit/reports.\n\n\n\n\n                                        14\n\x0cGAO\n      GAO Report No. GAO-04-115, \xe2\x80\x9cImprovements Needed in the Reliability of\n      Defense Budget Submissions,\xe2\x80\x9d December 19, 2003\n\nDepartment of Defense Office of Inspector General (DoD IG)\n      DoD Inspector General Report No. D-2005-029, \xe2\x80\x9cManagement of Information\n      Technology Resources Within DoD,\xe2\x80\x9d January 27, 2005\n\n      DoD Inspector General Report No. 
D-2005-023, \xe2\x80\x9cAssessment of DoD Plan of\n      Action and Milestones Process,\xe2\x80\x9d December 13, 2004\n\n      DoD Inspector General Report No. D-2005-002, \xe2\x80\x9cReporting of DoD Capital\n      Investments for Technology in Support of the FY 2005 Budget Submission,\xe2\x80\x9d\n      October 12, 2004\n\n      DoD Inspector General Report No. D-2004-081, \xe2\x80\x9cReporting of DoD Capital\n      Investments for Information Technology,\xe2\x80\x9d May 7, 2004\n\n\n\n\n                                       15\n\x0cAppendix B. FY 2006 Statement of Compliance\n            Submissions by DoD Components\n\n\n                                            Submitted a Statement of\n                                             Compliance for Budget\n     DoD Component                            Estimate Submission\n\n      Navy                                                    No\n      TRICARE Management Agency                               No\n      Defense Logistics Agency                                No\n      Defense Commissary Agency                               No\n      American Forces Information Service                     No\n      Defense Contract Management Agency                      No\n      Defense Information Systems Agency                      No\n      Army                                     Yes\n      Air Force                                Yes\n      Defense Human Resource Activity          Yes\n      Missile Defense Agency                   Yes\n      Defense Finance Accounting Service       Yes\n      U.S. Transportation Command              Yes\n      Office of Secretary of Defense           Yes\n      Washington Headquarters Services         Yes\n       Total                                    8              7\n\n\n\n\n                                       16\n\x0cAppendix C. Exhibit 300 Questions Reviewed\n   Part I:\n\n   d. 
Was this project reviewed as part of the FY 2004 Federal Information Security\n   Management Act review process?\n\n   d.1. If yes, were any weaknesses found?\n\n   d.2. Have the weaknesses been incorporated into the agency\xe2\x80\x99s corrective action\n   plans?\n\n   Part II:\n\n   II.A. Enterprise Architecture\n\n   A. Is this project identified in your agency\xe2\x80\x99s enterprise architecture? If not, why?\n\n   A.1. Will this investment be consistent with your agency\xe2\x80\x99s \xe2\x80\x9cto be\xe2\x80\x9d modernization\n   blueprint?\n\n   B. Was this investment approved through the EA review committee at your\n   agency?\n\n   C. What are the major process simplification/reengineering/design projects that\n   are required as part of this Information Technology investment?\n\n   D. What are the major organization restructuring, training, and change\n   management projects that are required?\n\n   E. Please list all the Lines of Business and Sub-Functions from the FEA Business\n   Reference Model that this Information Technology investment supports.\n\n   II.A.3. Applications, Components, and Technology\n\n   A. Discuss this major investment in relationship to the Service Component\n   Reference Model Section of the FEA.\n\n   B. Are all of the hardware, applications, components, and web technology\n   requirements for this investment included in the Agency EA Technical Reference\n   Model? If not, please explain.\n\n   C. Discuss this major Information Technology investment in relationship to the\n   Technical Reference Model section of the FEA.\n\n   D. Will the application leverage existing components and/or applications across\n   the Government (i.e., FirstGov, Pay.Gov, etc)? If so, please describe.\n\n   E. 
Financial Management Systems and Projects, as indicated in Part One, must\n   be mapped to the agency\xe2\x80\x99s financial management system inventory provided\n\n\n                                       17\n\x0cannually to the Office of Management and Budget. Please identify the system\nname(s) and system acronym(s) as reported in the most recent systems inventory\nupdate required by Circular A-11 section 52.4.\n\nII.B. Security and Privacy\n\nII.B.1. How is security provided and funded for this investment (e.g., by program\noffice or by the CIO through the general support system/network)?\n\nA. What is the total dollar amount allocated to Information Technology security\nfor this investment in FY 2006? Please indicate whether an increase in\nInformation Technology security funding is requested to remediate Information\nTechnology security weaknesses, specifying the amount and a general description\nof the weakness.\n\nII.B.2. Please describe how the investment (system/application) meets the\nfollowing security requirements of the Federal Information Security Management\nAct, Office of Management and Budget policy, and NIST guidelines:\n\nA. Does the investment (system/application) have an up-to-date security plan that\nmeets the requirements of OMB policy and NIST guidelines? What is the date of\nthe plan?\n\nB. Has the investment been certified and accredited?\n\nC. Have the management, operational, and technical security controls been tested\nfor effectiveness? Then were the most recent tests performed?\n\nD. Have all system users been appropriately trained in the past year, including\nrules of behavior and consequences for violating the rules?\n\nE. Has incident handling capability been incorporated into the system or\ninvestment, including intrusion detection monitoring and audit log reviews? Are\nincidents reported to DHS\xe2\x80\x99 FedCIRC?\n\nF. 
Is the system operated by contractors either on-site or at a contractor facility? If yes, does any such contract include specific security requirements required by law and policy? How are contractor security procedures monitored, verified, and validated by the agency?

Appendix D. Recent Information Technology Guidance

   1. Public Law 108-375, Section 332, "Ronald W. Reagan National Defense Authorization Act for Fiscal Year 2005." Section 2222 requires the Secretary of Defense to delegate responsibility for review, approval, and oversight of the planning, design, acquisition, deployment, operation, maintenance, and modernization of defense business systems to the:

          •   Under Secretary of Defense for Acquisition, Technology, and Logistics for any defense business system the primary purpose of which is to support acquisition activities, logistics activities, or installations and environment activities of the Department of Defense;

          •   Under Secretary of Defense (Comptroller) for any defense business system the primary purpose of which is to support financial management activities or strategic planning and budgeting activities of the Department of Defense;

          •   Under Secretary of Defense for Personnel and Readiness for any defense business system the primary purpose of which is to support human resource management activities of the Department of Defense; and

          •   Assistant Secretary of Defense for Networks and Information Integration and the Chief Information Officer of the Department of Defense for any defense business system the primary purpose of which is to support information technology infrastructure or information assurance activities of the Department of Defense (National Defense Authorization Act 2005).

   2. Deputy Secretary of Defense Memorandum, "Department of Defense (DoD) Business Transformation," February 7, 2005:

          •   Establishes the Defense Business Systems Management Committee (DBSMC) mandated by Public Law 108-375;

          •   Charges the DBSMC with responsibility for ensuring that funds are obligated for Defense Business Systems Modernization in accordance with section 332 of Public Law 108-375; and

          •   Directs that the Under Secretary of Defense for Acquisition, Technology, and Logistics; the Under Secretary of Defense (Comptroller); the Under Secretary of Defense for Personnel and Readiness; and ASD(NII)/DoD CIO serve as members of the DBSMC.

   3. Deputy Secretary of Defense Memorandum, "Delegation of Authority and Direction to Establish an Investment Review Process for Defense Business Systems," March 19, 2005:

          •   Delegates authorities to the Under Secretary of Defense for Acquisition, Technology, and Logistics; the Under Secretary of Defense (Comptroller); the Under Secretary of Defense for Personnel and Readiness; and ASD(NII)/DoD CIO for review, approval, and oversight of the planning, design, acquisition, deployment, operation, maintenance, and modernization of defense business systems as required by 10 U.S.C. Section 2222(f); and

          •   Retains authority with the Deputy Secretary of Defense for any defense business system the primary purpose of which is to support any DoD activity not covered by the above delegations.

   4. Deputy Secretary of Defense Memorandum, "Implementation Guidance on the Realignment of the Department of Defense (DoD) Business Transformation Program Management Office," March 24, 2005, transfers program management, oversight, and support responsibilities regarding DoD business transformation efforts from the Office of the Under Secretary of Defense (Comptroller) to the Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics.

   5. DoD Directive 5144.1, "Assistant Secretary of Defense Networks and Information Integration/DoD Chief Information Officer (ASD(NII)/DoD CIO)," May 2, 2005, requires that the ASD(NII)/DoD CIO, among other duties, review and provide recommendations to the Secretary and the Heads of the DoD Components on:

          •   The performance of the Department's IT and NSS programs (to include monitoring and evaluating the performance of IT and NSS programs on the basis of all applicable performances);

          •   DoD budget requests for IT and National Security Systems pursuant to section 2223 of Title 10, U.S.C.;

          •   The continuation, modification, or termination of IT and/or National Security System programs or projects pursuant to section 1425 of Title 40, U.S.C.; and

          •   The continuation, modification, or termination of an NII or CIO program pursuant to the Federal Information Security Management Act of 2002 as part of Public Law 107-347, Executive Order 13011, and other applicable authorities.

   6. "DoD Investment Review Process Overview and Concept of Operations for Investment Review Boards," May 11, 2005, establishes the OSD Investment Reviews and will leverage OMB Exhibit 300 reports as well as existing Major Automated Information System processes.

Appendix E. Report Distribution

Office of the Secretary of Defense
Under Secretary of Defense for Acquisition, Technology, and Logistics
Under Secretary of Defense (Comptroller)/Chief Financial Officer
Under Secretary of Defense for Personnel and Readiness
Assistant Secretary of Defense for Networks and Information Integration/Chief Information Officer
Director, Program Analysis and Evaluation

Joint Staff
Director, Joint Staff

Department of the Army
Assistant Secretary of the Army (Financial Management and Comptroller)
Chief Information Officer, Department of the Army
Auditor General, Department of the Army

Department of the Navy
Assistant Secretary of the Navy (Financial Management and Comptroller)
Chief Information Officer, Department of the Navy
Naval Inspector General
Auditor General, Department of the Navy

Department of the Air Force
Assistant Secretary of the Air Force (Financial Management and Comptroller)
Chief Information Officer, Department of the Air Force
Auditor General, Department of the Air Force

Other Defense Organizations
Director, Defense Finance and Accounting Service
Director, Defense Information Systems Agency

Non-Defense Federal Organization
Office of Management and Budget

Congressional Committees and Subcommittees, Chairman and Ranking Minority Member
Senate Committee on Appropriations
Senate Subcommittee on Defense, Committee on Appropriations
Senate Committee on Armed Services
Senate Committee on Governmental Affairs
House Committee on Appropriations
House Subcommittee on Defense, Committee on Appropriations
House Committee on Armed Services
House Committee on Government Reform
House Subcommittee on Government Efficiency and Financial Management, Committee on Government Reform
House Subcommittee on National Security, Emerging Threats, and International Relations, Committee on Government Reform
House Subcommittee on Technology, Information Policy, Intergovernmental Relations, and the Census, Committee on Government Reform

Under Secretary of Defense (Comptroller)/Chief Financial Officer Comments

Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Financial Officer Comments

Team Members
The Department of Defense Office of the Deputy Inspector General for Auditing, Acquisition and Technology Management prepared this report. Personnel of the Department of Defense Office of Inspector General who contributed to the report are listed below.

Kathryn M. Truex
Robert L. Shaffer
George A. Leighton
Robert R. Johnson
Tina N. Brunetti
Rebecca S. Courtade
Courtney E. Woodruff
James J. Buscaigio
Cindy L. Gavura
'